Tag Archive: modern authentication


How the Modern Authentication Protocol Works

Once modern authentication is enabled, a user authenticates with one of the Office 365 services and is issued both an Access Token and a Refresh Token.  The Access Token is short-lived, valid for about 1 hour.  The Refresh Token is longer-lived and can be valid for up to 90 days in some cases; those cases include frequent use and the user's password not having changed.  The Access Token is what is presented to the Office 365 service; when it expires, the Office client presents the Refresh Token to Azure Active Directory and requests a new Access Token to use with the service.  The default lifetime of a Refresh Token is 14 days.  Features such as Conditional Access policies may force users to sign in again even though the Refresh Token is still valid.
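The lifetimes described above can be read straight out of an access token, because Azure AD access tokens are JWTs whose payload carries the iat (issued at) and exp (expiry) claims. The following PowerShell is an added example, not code from the original post or from Microsoft: it decodes a token's payload and reports its lifetime. It does not verify the signature, so it is only for inspecting tokens (for example to confirm the roughly 1 hour default, or the effect of a token lifetime policy), never for deciding whether to trust one. Refresh tokens from Azure AD are opaque to the client and cannot be decoded this way. The sample token at the end is constructed locally with made-up claim values so the script runs offline.

```powershell
# Added example (not from the page): decode an Azure AD access token (a JWT) and
# report issue time, expiry and lifetime. The signature is NOT verified here.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments use the base64url alphabet and drop the '=' padding.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-AccessTokenLifetime {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    # Only the payload (second segment) is needed for the timing claims.
    $claims  = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $issued  = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.iat).UtcDateTime
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    [pscustomobject]@{
        Audience   = $claims.aud
        TenantId   = $claims.tid
        IssuedUtc  = $issued
        ExpiresUtc = $expires
        Lifetime   = $expires - $issued     # the effective AccessTokenLifetime
        Expired    = [datetime]::UtcNow -gt $expires
    }
}

# Constructed sample (made-up claims): a one-hour token for Exchange Online issued now.
$now    = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
$body   = ConvertTo-Base64Url ([ordered]@{
    aud = 'https://outlook.office365.com'
    tid = '00000000-0000-0000-0000-000000000000'
    iat = $now
    exp = $now + 3600
} | ConvertTo-Json -Compress)
$sampleToken = ($header, $body, 'signature-not-checked') -join '.'

Get-AccessTokenLifetime -Token $sampleToken
```

To inspect a real token, pass the bearer token string captured from an Office client or from an OAuth library to Get-AccessTokenLifetime in place of $sampleToken; a token whose Lifetime differs from 01:00:00 is a quick sign that a token lifetime policy applies to that app.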

How to use Modern Authentication

Client supportability

Modern Authentication is automatically on for Office 2016 client apps.

To enable modern authentication for any devices running Windows (for example on laptops and tablets) that have Microsoft Office 2013 installed, you need to set the following registry keys. The keys have to be set on each device that you want to enable for modern authentication:

Registry key                                                     Type       Value
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL   REG_DWORD  1
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version      REG_DWORD  1

These can be changed manually or through a Group Policy object.

Office 2013 must be build 15.0.4605.1003 or higher (March 2015 PU)

Other Operating Systems

Modern authentication uses OAuth 2.0 standards and is supported on multiple platforms, including OSX, iOS, Android, and Windows.

Client supportability matrix: https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/

Must be using MAPI / HTTP

We need to validate that every client is using MAPI over HTTP as this is a requirement for Modern Authentication.

The support article KB2937684 gives you some more info around ensuring MAPI-HTTP is enabled for your Office 2013/2016 client.

Office 365 services

Modern authentication is off by default for Exchange Online. To enable it:

  1. Connect to Exchange Online PowerShell.
  2. Run the following command in Exchange Online PowerShell:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

  3. To verify that the change was successful, run the following command in Exchange Online PowerShell (OAuth2ClientProfileEnabled should now be True):

Get-OrganizationConfig | Format-Table -Auto Name,OAuth*

Modern authentication is on by default for SharePoint Online; no action is needed.

Modern authentication is off by default for Skype for Business Online. To enable it:

  1. Connect to Skype for Business Online using remote PowerShell: https://aka.ms/SkypePowerShell
  2. Run the following command:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

  3. Verify that the change was successful by running the following (ClientAdalAuthOverride should now be Allowed):

Get-CsOAuthConfiguration
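The three service checks above can be run as one report. The following PowerShell is an added example (not from the original post or from Microsoft) that queries the same two settings with the same cmdlets and flags any service still on legacy authentication. It assumes you have already connected to Exchange Online PowerShell and to Skype for Business Online remote PowerShell in the current session; if a service's cmdlets are not loaded it reports "not connected" rather than guessing. SharePoint Online is listed as on because the page states it is on by default and there is nothing to query.

```powershell
# Added example (not from the page): report modern authentication state per service.
function Get-TenantModernAuthState {
    $results = @()

    # Exchange Online: OAuth2ClientProfileEnabled must be True.
    if (Get-Command Get-OrganizationConfig -ErrorAction SilentlyContinue) {
        $exo = Get-OrganizationConfig
        $results += [pscustomobject]@{
            Service     = 'Exchange Online'
            Setting     = 'OAuth2ClientProfileEnabled'
            Value       = $exo.OAuth2ClientProfileEnabled
            ModernAuth  = [bool]$exo.OAuth2ClientProfileEnabled
            Remediation = 'Set-OrganizationConfig -OAuth2ClientProfileEnabled $true'
        }
    } else {
        $results += [pscustomobject]@{
            Service     = 'Exchange Online'
            Setting     = 'OAuth2ClientProfileEnabled'
            Value       = '(not connected)'
            ModernAuth  = $null
            Remediation = 'Connect to Exchange Online PowerShell first'
        }
    }

    # Skype for Business Online: ClientAdalAuthOverride must be Allowed.
    if (Get-Command Get-CsOAuthConfiguration -ErrorAction SilentlyContinue) {
        $sfb = Get-CsOAuthConfiguration
        $results += [pscustomobject]@{
            Service     = 'Skype for Business Online'
            Setting     = 'ClientAdalAuthOverride'
            Value       = $sfb.ClientAdalAuthOverride
            ModernAuth  = ("$($sfb.ClientAdalAuthOverride)" -eq 'Allowed')
            Remediation = 'Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed'
        }
    } else {
        $results += [pscustomobject]@{
            Service     = 'Skype for Business Online'
            Setting     = 'ClientAdalAuthOverride'
            Value       = '(not connected)'
            ModernAuth  = $null
            Remediation = 'Connect to Skype for Business Online remote PowerShell first'
        }
    }

    # SharePoint Online: on by default, nothing to query.
    $results += [pscustomobject]@{
        Service     = 'SharePoint Online'
        Setting     = '(on by default)'
        Value       = 'n/a'
        ModernAuth  = $true
        Remediation = 'None'
    }

    $results
}

$state = Get-TenantModernAuthState
$state | Format-Table -AutoSize
# Warn about services confirmed to still be on legacy authentication.
$state | Where-Object { $_.ModernAuth -eq $false } | ForEach-Object {
    Write-Warning "$($_.Service): modern authentication is OFF. Fix with: $($_.Remediation)"
}
```

Run it before and after the Set-* commands above to record the tenant's state; the Remediation column is the exact command the page gives for each service.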

How Modern Authentication Works for Office 2016 / 2013

Office 2016 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is needed to use legacy authentication.

Office 2013 client apps support legacy authentication by default. Legacy means that they support either Microsoft Online Sign-in Assistant or basic authentication. For these clients to use modern authentication features, the Windows client must have registry keys set. (See notes above)

Exchange Online

Office client | Registry key present? | Modern auth on? | Behaviour with modern auth ON for the tenant | Behaviour with modern auth OFF for the tenant (default)
Office 2016 | No, or Yes with EnableADAL = 1 | Yes | Modern authentication is attempted first; if the server refuses it, basic authentication is used | Same as when ON: the server refuses modern authentication because the tenant is not enabled, so basic authentication is used
Office 2016 | Yes, EnableADAL = 0 | No | Basic authentication | Basic authentication
Office 2013 | No | No | Basic authentication | Basic authentication
Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first; if the server refuses it, basic authentication is used | Same as when ON: the server refuses modern authentication because the tenant is not enabled, so basic authentication is used

Note that in every row the client falls back to basic authentication when the server refuses modern authentication, and that clients with EnableADAL = 0, or Office 2013 without the registry keys, use basic authentication regardless of the tenant setting. Turning modern authentication on for the tenant therefore does not block basic authentication; if that fallback is not wanted it has to be blocked separately.

Source: https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517#bk_echangeonline

SharePoint Online

Office client | Registry key present? | Modern auth on? | Behaviour with modern auth ON for the tenant (default) | Behaviour with modern auth OFF for the tenant
Office 2016 | No, or Yes with EnableADAL = 1 | Yes | Modern authentication only | Failure to connect
Office 2016 | Yes, EnableADAL = 0 | No | Microsoft Online Sign-in Assistant only | Microsoft Online Sign-in Assistant only
Office 2013 | No | No | Microsoft Online Sign-in Assistant only | Microsoft Online Sign-in Assistant only
Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication only | Failure to connect

Source: https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517#bk_sharepointonline

Skype for Business Online

Office client | Registry key present? | Modern auth on? | Behaviour with modern auth ON for the tenant | Behaviour with modern auth OFF for the tenant (default)
Office 2016 | No, or Yes with EnableADAL = 1 | Yes | Modern authentication is attempted first; if the server refuses it, the Microsoft Online Sign-in Assistant is used | Same as when ON: the server refuses modern authentication because the Skype for Business Online tenant is not enabled, so the Microsoft Online Sign-in Assistant is used
Office 2016 | Yes, EnableADAL = 0 | No | Microsoft Online Sign-in Assistant only | Microsoft Online Sign-in Assistant only
Office 2013 | No | No | Microsoft Online Sign-in Assistant only | Microsoft Online Sign-in Assistant only
Office 2013 | Yes, EnableADAL = 1 | Yes | Modern authentication is attempted first; if the server refuses it, the Microsoft Online Sign-in Assistant is used | Microsoft Online Sign-in Assistant only

Source: https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517#bk_sfbo
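The registry keys from the client supportability section and the "Modern authentication on?" column of the three tables above come together in the following PowerShell, an added example that is not from the original post or from Microsoft. Get-OfficeModernAuthState reads EnableADAL for both the 15.0 (Office 2013) and 16.0 (Office 2016) hives of the current user and applies the tables' rule: Office 2016 is on unless EnableADAL is explicitly 0, Office 2013 is on only when EnableADAL is 1. Enable-Office2013ModernAuth checks that the installed build meets the 15.0.4605.1003 minimum and then writes the two REG_DWORD values. It assumes Outlook is installed and reads the build from OUTLOOK.EXE's file version through its App Paths registry entry; because the keys live under HKCU they are set for the current user only, so for a fleet the Group Policy route the page mentions is the right one.

```powershell
# Added example (not from the page): inspect and enable per-user Office modern auth.
function Get-OfficeModernAuthState {
    foreach ($ver in '15.0', '16.0') {
        $key = "HKCU:\SOFTWARE\Microsoft\Office\$ver\Common\Identity"
        $enableAdal = $null
        if (Test-Path $key) {
            $enableAdal = (Get-ItemProperty -Path $key -Name EnableADAL -ErrorAction SilentlyContinue).EnableADAL
        }
        # Rule from the tables: 16.0 is on unless EnableADAL = 0; 15.0 is on only if EnableADAL = 1.
        $on = if ($ver -eq '16.0') { $enableAdal -ne 0 } else { $enableAdal -eq 1 }
        [pscustomobject]@{
            Office       = $ver
            KeyPresent   = ($null -ne $enableAdal)
            EnableADAL   = $enableAdal
            ModernAuthOn = $on
        }
    }
}

function Enable-Office2013ModernAuth {
    [CmdletBinding(SupportsShouldProcess)]
    param([version]$MinimumBuild = '15.0.4605.1003')   # March 2015 PU, per the page

    # Assumption: Outlook is installed; its App Paths entry points at OUTLOOK.EXE.
    $appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    $exe     = (Get-ItemProperty -Path $appPath -ErrorAction Stop).'(default)'
    $build   = [version](Get-Item $exe).VersionInfo.FileVersion

    if ($build.Major -ne 15) {
        throw "Outlook build $build is not Office 2013; Office 2016 needs no registry change."
    }
    if ($build -lt $MinimumBuild) {
        throw "Outlook build $build is older than $MinimumBuild; install the March 2015 PU first."
    }

    $key = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in 'EnableADAL', 'Version') {
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Set REG_DWORD = 1')) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

Get-OfficeModernAuthState | Format-Table -AutoSize
Enable-Office2013ModernAuth -WhatIf    # preview only; drop -WhatIf to apply for the current user
```

Run Get-OfficeModernAuthState again after enabling to confirm the 15.0 row now shows ModernAuthOn = True; an Office 2016 row with EnableADAL = 0 is a client that has been deliberately pinned to legacy authentication.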

Additional Notes

ADFS

With modern authentication, all clients will use Passive Flows (WS-Federation), and will appear to be browser traffic to AD FS.

ADFS client access filtering policies

Once Modern Authentication has been enabled, any client access filtering policies will need to be changed as follows:

# | Current client access filtering policy | After enabling modern authentication | Action needed
1 | Block all external access to Office 365 | Continue to rely on existing AD FS policies (client traffic now comes in on the WS-Federation endpoint) | None
2 | Block all external access to Office 365 except Exchange ActiveSync | Continue to rely on existing AD FS policies (client traffic now comes in on the WS-Federation endpoint) | None
3 | Block all external access to Office 365 except browser-based apps | Implement conditional policies in Office 365/Azure AD to block "rich client" traffic (allow on AD FS) | This scenario is not yet supported for public preview; organizations that rely on it are advised not to onboard their tenants for modern authentication

Source:  https://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx


Azure AD / Office 365 Token Lifetimes

You can specify the lifetime of a token issued by Azure Active Directory (Azure AD). You can set token lifetimes for all apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your organization.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes

Configurable token lifetime properties

Property | Policy property string | Affects | Default | Minimum | Maximum
Access Token Lifetime | AccessTokenLifetime | Access tokens, ID tokens, SAML2 tokens | 1 hour | 10 minutes | 1 day
Refresh Token Max Inactive Time | MaxInactiveTime | Refresh tokens | 90 days | 10 minutes | 90 days
Single-Factor Refresh Token Max Age | MaxAgeSingleFactor | Refresh tokens (for any users) | Until-revoked | 10 minutes | Until-revoked [1]
Multi-Factor Refresh Token Max Age | MaxAgeMultiFactor | Refresh tokens (for any users) | Until-revoked | 10 minutes | Until-revoked [1]
Single-Factor Session Token Max Age | MaxAgeSessionSingleFactor [2] | Session tokens (persistent and nonpersistent) | Until-revoked | 10 minutes | Until-revoked [1]
Multi-Factor Session Token Max Age | MaxAgeSessionMultiFactor [3] | Session tokens (persistent and nonpersistent) | Until-revoked | 10 minutes | Until-revoked [1]

  • [1] 365 days is the maximum explicit length that can be set for these attributes.
  • [2] If MaxAgeSessionSingleFactor is not set, it takes the MaxAgeSingleFactor value. If neither parameter is set, the property takes the default value (until-revoked).
  • [3] If MaxAgeSessionMultiFactor is not set, it takes the MaxAgeMultiFactor value. If neither parameter is set, the property takes the default value (until-revoked).
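A TokenLifetimePolicy is handed to Azure AD as a JSON definition whose keys are the policy property strings in the table above, with durations written as .NET timespan strings ("hh:mm:ss" or "d.hh:mm:ss"). The following PowerShell is an added example, not from the original post or from Microsoft's docs: it builds such a definition, rejects values outside the table's minimum and maximum before anything is sent to the tenant, and shows the New-AzureADPolicy call (Azure AD PowerShell preview module, after Connect-AzureAD) that would apply it. Everything except that final, commented-out call runs offline. One caveat that postdates the page: Microsoft has since retired the refresh and session token properties of this policy, so on a current tenant only AccessTokenLifetime still takes effect.

```powershell
# Added example (not from the page): build and validate a TokenLifetimePolicy definition.
function New-TokenLifetimeDefinition {
    param(
        [timespan]$AccessTokenLifetime = (New-TimeSpan -Hours 1),   # table default
        [timespan]$MaxInactiveTime     = (New-TimeSpan -Days 90),   # table default
        [string]$MaxAgeSingleFactor    = 'until-revoked',           # table default
        [string]$MaxAgeMultiFactor     = 'until-revoked'            # table default
    )
    $tenMinutes = New-TimeSpan -Minutes 10

    # Bounds from the "Configurable token lifetime properties" table.
    if ($AccessTokenLifetime -lt $tenMinutes -or $AccessTokenLifetime -gt (New-TimeSpan -Days 1)) {
        throw "AccessTokenLifetime must be between 10 minutes and 1 day (got $AccessTokenLifetime)"
    }
    if ($MaxInactiveTime -lt $tenMinutes -or $MaxInactiveTime -gt (New-TimeSpan -Days 90)) {
        throw "MaxInactiveTime must be between 10 minutes and 90 days (got $MaxInactiveTime)"
    }
    foreach ($age in $MaxAgeSingleFactor, $MaxAgeMultiFactor) {
        if ($age -ne 'until-revoked') {
            $span = [timespan]$age
            if ($span -lt $tenMinutes -or $span -gt (New-TimeSpan -Days 365)) {
                throw "Max age values must be 'until-revoked' or between 10 minutes and 365 days (got $age)"
            }
        }
    }

    # [timespan]::ToString() yields "01:00:00" / "14.00:00:00", the format Azure AD expects.
    $policy = [ordered]@{
        TokenLifetimePolicy = [ordered]@{
            Version             = 1
            AccessTokenLifetime = $AccessTokenLifetime.ToString()
            MaxInactiveTime     = $MaxInactiveTime.ToString()
            MaxAgeSingleFactor  = $MaxAgeSingleFactor
            MaxAgeMultiFactor   = $MaxAgeMultiFactor
        }
    }
    $policy | ConvertTo-Json -Compress -Depth 3
}

# 30-minute access tokens; refresh tokens expire after 14 days without use.
$definition = New-TokenLifetimeDefinition -AccessTokenLifetime (New-TimeSpan -Minutes 30) `
                                          -MaxInactiveTime (New-TimeSpan -Days 14)
$definition

# Apply it as the organization default (requires Connect-AzureAD in this session):
# New-AzureADPolicy -Definition @($definition) -DisplayName 'ShortTokens' `
#     -IsOrganizationDefault $true -Type 'TokenLifetimePolicy'
```

Validating locally matters because the Azure AD side reports an out-of-range value only after the policy object has been created; keeping the check in front of New-AzureADPolicy avoids leaving a half-configured policy in the tenant that then has to be found with Get-AzureADPolicy and removed.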


Example token lifetime policies

Many scenarios are possible in Azure AD in which you can create and manage token lifetimes for apps, service principals, and your overall organization. In this section, we walk through a few common policy scenarios that can help you impose new rules for:

  • Token Lifetime
  • Token Max Inactive Time
  • Token Max Age

In the examples, you can learn how to:

  • Manage an organization’s default policy
  • Create a policy for web sign-in
  • Create a policy for a native app that calls a web API
  • Manage an advanced policy

Prerequisites

In the following examples, you create, update, link, and delete policies for apps, service principals, and your overall organization. If you are new to Azure AD, we recommend that you learn about how to get an Azure AD tenant before you proceed with these examples.

To get started, do the following steps:

  1. Download the latest Azure AD PowerShell Module Public Preview release.
  2. Run the Connect command to sign in to your Azure AD admin account. Run this command each time you start a new session.

    Connect-AzureAD -Confirm

  3. To see all policies that have been created in your organization, run the following command. Run this command after most operations in the following scenarios; it also gives you the ObjectId of each policy, which the later Set- and Remove- operations need.

    Get-AzureADPolicy